Email Flooding Makes A Comeback With Thousands Of Sent Messages In A Single Blast


Published March 4, 2019

Most of us have busy email accounts, especially at work. Clearing an inbox is something we aspire to, but few manage to achieve. Now, imagine opening your work email to find thousands and thousands of emails flooding your inbox. Email flooding is making a comeback and while users are scratching their heads, there’s a very good chance their email accounts are under attack. Unfortunately, that’s just the beginning.

Hackers are going old school with email flooding for one main reason: It works. It is so effective because swimming among the thousands of emails are those about legitimate account activity. The flood of email distracts victims while the attackers are perpetrating some form of Business Email Compromise (BEC). Emails about fraudulent transactions, ranging from account changes like password changes to purchase receipts and other financial transactions, are lost somewhere in the tsunami that hit your inbox. The idea behind flooding is that you’ll never find those critical emails in an inbox seeming to have no end. Aside from personal accounts affected, the potential damage done to a business and its financial accounts is impossible to know until it’s too late. By the time these damaging emails are discovered, hackers are busy counting your company’s money.

Also called “spam blast,” email flooding is a huge challenge for anyone, and IT departments are at a loss protecting sensitive information from theft. The email spammers who once used botnets and free mail accounts for the deluge now have all the information they need on the dark web. For about $40, a hacker gets a user’s email account and more, allowing them to send 20,000 emails to an account. Each of the emails has an individual sender. As such, there’s no real way to block the senders and spam filters are easily bypassed.

Security professionals see the need for new and improved methods of detection, especially when the future of a business is at stake. Company IT departments and cybersecurity providers need to take some time to reevaluate their email security, including user email behavior profiling. In addition, combining profiling with successfully detecting email anomalies can help prevent email flooding attacks at the outset. Commitment to this anti-spam strategy is a great start, but not enough on its own.
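The profiling and anomaly detection described above, as an added example that is not part of the original article: it flags a window whose volume far exceeds the user's normal hourly rate while nearly every message has a different sender, then pulls out the account-activity messages buried in the flood. The thresholds, field names, subject patterns and sample mailbox are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them against real mailbox history.
WINDOW = timedelta(hours=1)
RATE_MULTIPLIER = 20     # window volume relative to the user's normal hourly volume
MIN_UNIQUE_RATIO = 0.9   # in a flood, nearly every message has a different sender

# Subjects that suggest account activity worth reading during a flood.
ACCOUNT_ACTIVITY = re.compile(
    r"password|receipt|purchase|payment|transfer|account change", re.IGNORECASE)


def detect_flood(messages, baseline_per_hour):
    """Return the start time of the first flood-like window, or None."""
    msgs = sorted(messages, key=lambda m: m["received"])
    senders = Counter()
    start = 0
    for end, msg in enumerate(msgs):
        senders[msg["sender"]] += 1
        # Slide the window forward so it never spans more than WINDOW.
        while msg["received"] - msgs[start]["received"] > WINDOW:
            old = msgs[start]["sender"]
            senders[old] -= 1
            if senders[old] == 0:
                del senders[old]
            start += 1
        count = end - start + 1
        if (count >= RATE_MULTIPLIER * max(baseline_per_hour, 1)
                and len(senders) / count >= MIN_UNIQUE_RATIO):
            return msgs[start]["received"]
    return None


def buried_account_mail(messages, flood_start, known_senders):
    """Messages since flood_start whose subject looks like account activity.

    Mail from senders the user already corresponds with is listed first.
    """
    hits = [m for m in messages
            if m["received"] >= flood_start
            and ACCOUNT_ACTIVITY.search(m["subject"])]
    return sorted(hits, key=lambda m: (m["sender"] not in known_senders,
                                       m["received"]))


def sample_mailbox():
    """Constructed sample: 3 normal messages, a 2,000-message flood, 2 notices."""
    t0 = datetime(2019, 3, 4, 9, 30)
    box = [{"received": t0 - timedelta(days=1, hours=h),
            "sender": "alerts@bank.example",
            "subject": "Your monthly statement"} for h in range(3)]
    box += [{"received": t0 + timedelta(seconds=i),
             "sender": f"noreply@list{i}.example",
             "subject": f"Welcome to newsletter {i}"} for i in range(2000)]
    box += [{"received": t0 + timedelta(minutes=10),
             "sender": "alerts@bank.example",
             "subject": "Your password was changed"},
            {"received": t0 + timedelta(minutes=20),
             "sender": "alerts@bank.example",
             "subject": "Receipt for wire transfer"}]
    return box


if __name__ == "__main__":
    box = sample_mailbox()
    start = detect_flood(box, baseline_per_hour=5)
    if start is not None:
        # Profile: senders seen before the flood began.
        known = {m["sender"] for m in box if m["received"] < start}
        for m in buried_account_mail(box, start, known):
            print(m["received"], m["sender"], m["subject"])
```
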

Training employees to spot email spam is a critical part of this plan. This is because putting malicious links and attachments in email messages remains the top method for getting information on an organization, from someone’s email login credentials to the passwords for its financial accounts. Ongoing cybersecurity education is necessary to detect and prevent email spam attacks, and especially phishing.

Hackers may be returning to an old tactic with email flooding attacks, but new and improved approaches to email security may be their biggest problem.

If your financial institution was on the DanaBot Trojan’s target list, your email address may be causing trouble. Victims who got hooked by the DanaBot lure may have had their email addresses used by hackers to send out email spam to catch other victims. Creators of the DanaBot Trojan recently updated the malware with the ability to gather email addresses from its victims’ contacts. This allows them to send countless spam emails to those contacts–including family and friends–using your good name as the sender. Recipients may be much more likely to click on attachments and links in emails from senders they know and trust. It’s designed to take advantage of even more victims by stealing their data and infecting devices with malware. Once the DanaBot victim logs in to their email account, spam emails are instantly sent out.

Research by ESET shows the DanaBot Trojan’s scope is beyond that of a typical banking Trojan. This Trojan regularly adds new hacking features, tests distribution options, and may be acting in concert with other cybercriminal gangs. Its attacks have been used worldwide, show no signs of slowing down, and are in fact improving with age. In particular, DanaBot’s email spam contains ZIP attachments with a decoy PDF file. It also contains a .VBS (Visual Basic Script) attachment full of malware specifically targeting Internet Explorer and Microsoft users. Should the VBS file be activated, even more malware is downloaded.

With email spam notorious for carrying malware infections of all types, basic email phishing defenses are more important than ever to use. Especially in the DanaBot case, recipients likely know and trust the sender, leading to even more victims. Below are some basic email spam protections, since you can assume much of it is sent by malicious actors.

Know that even an email address from a friend can be hijacked by hackers. Hover your mouse over the sender address to confirm the sender or click the arrow next to the name. There is some way to see the entire address, depending on how you collect your email. If you don’t know how, ask someone or perform a quick internet search. Even though it may appear to be from someone you know, never click on attachments or URLs before contacting the sender to make sure the email is legitimate and that attachments are safe.

Never reply to a spam email. A reply or clicking on “unsubscribe” tells hackers you do exist. Doing so alerts them you may be a prime target for further hacks. If you reply to the message, it will go right back to the hackers who will then try to further convince you they are legit. One simple thing to remember: Don’t reply: Delete.

Don’t forward any spam emails, ever. Spammers harvest email addresses of anyone, even those on a “friends and family” email list. Involving your contacts in a spam attack, although you are unaware, is the wrong way to endear yourself to them.

In the biggest breach since it began 14 years ago, hackers once again struck the beleaguered Facebook and its users in September. This breach compromised millions of accounts. In hit after hit, the company once again faces criticism about how this latest breach happened. The only bright side Facebook had to report is that the hackers were not nation-state actors, but merely a group trying to make a buck. That’s an important point for Facebook to make, considering previous breaches by Cambridge Analytica and Russian-state actors.

Although it may be good news, it’s cold comfort to the millions affected by this latest hack. The Wall Street Journal reported the hackers behind the massive breach were a group of Facebook and Instagram spammers. The group was previously known to Facebook’s security team, hiding their identity as a digital marketing company. The data stolen can easily be used in targeted spam email attacks.

According to Barkley, email spam is still the number one delivery vehicle for most malware. When any breach happens, especially one the size of the latest Facebook hack, users need to be aware of increased spam email attacks. The information stolen from users gives hackers the personal data they need for targeted emails. They exploit specific user interests, contacts, and other information unique to a user. Their messages easily masquerade as email that is safe to open, with links that are safe to follow and attached files that are safe to download. Once that happens, malware is on the loose, infecting devices and stealing even more sensitive data like passwords and financial information. After a data breach, users need to pay particular attention to emails catering to their personal lives, especially those with links or attachments. In these cases, curiosity is a dangerous thing. Spammers know the easiest way to spread malware is through a socially engineered email attack. The more they know about a user, the more likely spam email will be successful.

If you are not expecting to receive a link, even if the message preceding it seems to have a very good handle on who you are, don’t click on it. That’s what these scammers and those like them want you to do. It doesn’t even matter who the sender may be, because if they have Facebook information, they may just know the information of a family member or good friend and pretend to be that person. So, instead of just clicking away, ask the sender in a text, completely new email message, or by phone call.

The extent of the hack, including just how many Facebook users were affected and how much personal information was compromised is still unknown. Although the estimates may vary, the true number of users affected may never really be known. Once data is compromised, it’s impossible to know where it goes, how many hackers have the information, and how long it will live in cyberspace–most likely on the Dark Web. For now, the responsibility for safety falls on the user. The need to be hyper-aware of spam email attacks needs to be an everyday way of cyber life and security. Enormous data breaches like the recent Facebook attack should be yet another warning to users that personal cybersecurity is more important now than ever.

Unless you’ve been under a rock, you know that email phishing is a favorite and effective hacker tool worldwide. A report by the Ponemon Institute and Keeper Security finds negligent employees are the #1 cause behind data breaches at small-to-medium-size businesses (SMBs), and phishing emails are the #1 form of attack on those employees.

According to the U.S. Securities and Exchange Commission, 60% of SMBs are out of business within six months of a security breach, and email phishing is a growing source of those data breaches. Symantec’s “2018 Internet Security Threat Report” estimates that one of every 412 emails contains malware; a big drop from 2017's 1 in 131. This is a very positive direction that can be attributed to IT efforts across all business types. The down side is that thousands of emails are received daily by most companies, so the job is far from over – all it takes is one employee misstep to unleash a world of hurt on a company and its data.

Knowing the signs and shapes phishing emails take is a huge part of workplace data security. Both employees and employers who know them take proactive steps toward a cyber-safe workplace.

EMPLOYEE AWARENESS

Never assume an email is trustworthy just because it’s from a co-worker or internal department – it’s very easy for hackers to disguise emails. Carefully check the email address or URL of the sender and be aware of spelling and grammatical errors in email text. If you see a suspicious email from a known sender, ask them directly if they sent it – better safe than sorry.

Look for generic greetings like “employee” or “customer.” Most phishing emails are sent to tons of people at the same time and don’t address employees by name.

Beware email attachments using suspicious file extensions like .exe, .pptm and .docm. Any extension out of the ordinary is suspect, but no extension is guaranteed to be safe.

Emails that ask for immediate action or are aggressive about getting a response are hacker favorites. They rely on scare tactics to get your attention and get you to open them – you’re one step away from clicking on a malicious link.

Immediately report suspicious emails to the IT department or those responsible for online security. Making them aware enables them to block and investigate senders.

EMPLOYER AWARENESS

Conduct ongoing employee cyber education. Address the latest phishing and other hacking tactics and make mock scenarios part of the training. Then, re-test employees so you know where improvements need to be made.

Email phishing has become so successful that it’s now referred to as “weaponized email.” Not a very pleasant thing to think about, but research shows it’s time you did. ValiMail's 2017 Email Fraud Landscape Report finds that one of five emails in your inbox may come from a disreputable source. A report by Google and the University of California at Berkeley says phishing is the biggest threat to online identities, particularly to individuals who have already experienced internet data breaches.

Experts tell users to pay serious attention to their inboxes and follow security steps to minimize vulnerability to weaponized email. Here are some guidelines that everyone should live by:

1. Protect your computer with a firewall, spam filters, anti-virus and anti-spyware software. Do some research to ensure you are getting the most up-to-date software and keep your security programs updated at all times to ensure that you are blocking new viruses and spyware.

2. Never enter personal information in a pop-up screen. Do not click on links in a pop-up screen or copy web addresses into your browser from pop-ups. Legitimate enterprises should never ask you to submit personal information in pop-up screens, so don’t do it.

3. Communicate personal information only via phone or secure web sites. When conducting online transactions, look for a sign that the site is secure such as a lock icon on the browser’s status bar or a “https:” URL where the “s” stands for “secure” rather than just “http.” If you don't see the “s,” use the telephone.

4. Do not click on links, download files, or open attachments in emails from unknown senders. It is best to open attachments only when you are expecting them and know what they contain, even if you know the sender.

5. Never email personal or financial information, even if you are close with the recipient. You never know who may gain access to your email account, or to the person’s account to whom you are emailing. Besides that, email should not be considered a secure form of communication.

It’s not the musical comedy play by Monty Python creators; it’s something that isn’t particularly funny, in fact. A researcher has discovered that a massive spambot from a server hosted in the Netherlands was responsible for exposing somewhere around 711 million email addresses and corresponding passwords to whomever wanted to collect and use them. It is being referred to as the largest spam list ever seen by the security analyst Troy Hunt.

A spambot is a computer application that collects and sends spam automatically in mass quantities. They can also be used by malicious actors to carry out attacks against a website. Because of the number of email addresses included in spambots, they can spread malware very quickly, making them ideal for phishing.

Businesses try to protect users from spam by implementing anti-spam tools and anti-malware software. However, because the sender addresses can be changed to appear to come from legitimate sources, spam messages often make it past these tools and into users’ inboxes.

That’s why learning how to identify phishing is so important. No matter how many tools are implemented to stop spam, all it takes is for one person to click a malicious link or attachment that sends malware throughout a network. We saw this in action with the WannaCry outbreak and subsequent NotPetya.

So here are some clues that an email may be trying to hook you:

There are misspelled words, grammatical mistakes, and/or the language it’s written in may be used incorrectly.

It’s sent from an unknown sender.

It’s sent from a known sender, but includes a link or attachment that you are not expecting to receive or that seems even a tiny bit suspect.

The sender is requesting information that he or she normally wouldn’t.

There is a sense of urgency intended to make you act without putting enough thought into it.

There is threatening language hinting at big penalties if you don’t do what is asked.

The graphics are not current, are blurred, skewed, or otherwise not quite right.

And what should you do if you receive an email message that you suspect is phishing?

If you know it’s phishing, just delete it right away.

Definitely do not click on any links or attachments.

If you are not quite certain, verify with the sender by texting, calling, walking to his or her desk, or in some other way besides replying to the message.

Ask your supervisor or IT support for assistance.

If you would like to find out if your email address has been stolen and potentially used to spread spam or is included in a list for receiving spam, you can check Troy Hunt’s website haveibeenpwned.com. If so, immediately change your password. Also, turn on multifactor authentication (MFA) for your email account. This will require you to provide some additional information before you’re allowed access to your account. Finally, make sure your secondary or recovery email address or information is current at all times. This will help you reclaim your email address or recover your password should that be necessary.


Chances are pretty good that you have heard the term business email compromise or BEC by now. It is a type of wire transfer fraud that the FBI has deemed one of the most prevalent types of scam going around these days. In 2017, there were over 15,690 complaints that resulted in total adjusted losses of more than $675 million. That is an 87% increase over 2016 and it is expected to continue to rise. The Identity Theft Resource Center (ITRC) reported that of the fraud related complaints reported in 2017, the most common type was wire transfer fraud.


